With breaches nearly certain, companies shift cybersecurity spending
By Jaikumar Vijayan, ThirdCertainty
For years, a major portion of security budgets has been spent on perimeter technologies like firewalls, anti-virus software and intrusion prevention systems. Organizations have tended to spend substantially less of their budgets on bolstering intrusion detection and response capabilities. But that finally may be changing.
A recent survey conducted by Pierre Audoin Consultants (PAC) in the United Kingdom shows that the traditional split in spending between planning, preparing and preventing an attack versus detecting and responding to one, is narrowing, even if only modestly. PAC polled 200 decision-makers in the U.K., France and Germany for their responses to a variety of questions pertaining to security spending, perimeter defenses and incident detection response.
Infographic: Companies plan shift in security spending
The responses showed a shift in spending toward detect-and-response capabilities and a corresponding move away from prevention-and-protection tools in many organizations. Over the next two years, organizations that participated in the survey expect to spend about 39 percent of their IT security budget overall on detection and response, up 16 points from the 23 percent they currently spend on those capabilities. The median spend is projected to rise 15 percent from 25 percent to 40 percent over the same period.
At the same time, spending on protection-and-prevention tools such as firewalls and antivirus tools is expected to trend downward 16 points, from an average of around 77 percent today to 61 percent in 2017. The median spend on these technologies is expected to drop from 75 percent to 60 percent.
“We see this as a rebalancing of cybersecurity spend to a more appropriate split of operational attention,” PAC said in its report. “While the focus on Prevent & Protect needs to be maintained, looking for breaches and quickly remediating them has increased in priority,” the report said.
Accepting the inevitable
The plans to increase spending on incident detection and response reflect a growing feeling among organizations that breaches are inevitable, said Dominic Trott, senior analyst at PAC. But there are important caveats, he said.
“Our survey shows that protect/prevent remains the largest portion of spend, and is set to remain so in two years time,” Trott said. While spending on detection and response will increase, perimeter tools will still account for six out of every 10 dollars spent on security in two years.
“No one is advocating that organizations should stop bothering with end-point security,” Trott said. “What we are seeing is that detect/respond style security approaches represent a growing share of security spending.”
The results come amid growing evidence that traditional perimeter tools are not only failing to prevent breaches but also do nothing to help organizations detect them. In PAC’s survey for instance, 67 percent of the respondents had suffered a data breach over the past year, while a full 100 percent said they had experienced a breach at least once in the past. Nearly seven in 10 of those who suffered a breach took between one month and six months on average to detect the breach.
Detection gets more difficult
The numbers are similar to those released by security vendor Trustwave earlier this year, which also showed that organizations are taking increasingly longer to detect network and system intrusions. Importantly, the survey also showed that a lack of incident detection-and response capabilities is seriously hindering the ability of many organizations to spot an intrusion into their networks. In more than eight out of 10 of the 574 breaches investigated by Trustwave last year, an external party reported the intrusion to the victim. In such situations, organizations took at least 126 days to detect the breach after initial intrusion, the Trustwave survey showed.
Despite this, most organizations have typically tended to give short shrift to computer security incident response capabilities at least till recently. A survey last January of 674 IT security professionals conducted by the Ponemon Institute on behalf of Lancope showed that more than a third did not have a formal capability in place to respond to a computer security incident. This was despite the fact that more than 80 percent agreed that investments in security incident response are worthwhile.
Free IDT911 white paper: Breach, Privacy, And Cyber Coverages: Fact And Fiction
“One possible explanation is that incident response investments are viewed as reactive rather than preventative,” the report had noted. “Ideally, breaches would not occur, and therefore there would be no need for teams to respond to them.” Organizations on limited security budgets likely find it easier to justify spending on technologies that are designed to stop breaches than on measures for responding after a breach, the report said.
For most organizations, incident response is a service rather than a product, Trott added. Typically, in such situations, when a breach is detected, a third party is hired to conduct a forensic analysis to identity weak spots and threat activity and to close out any gaps.
“That being said, there are technologies that can be offered in association with this,” to improve response capabilities, Trott said. For example, incident response process tools are available these days from companies like Resilient Systems, which helps to make sure that users follow a robust process in reacting to an incident, he said. He noted that Resilient was one of the sponsors of the survey.
“Equally, there are appliances that sit within an organization’s IT environment and monitor activity to identify malware and anomalous behavior.”
More on emerging best practices
5 data protection tips for SMBs
What SMBs need to know about CISOs
Protecting your digital footprint in the post privacy era